Azure AKS : Azure RBAC for Kubernetes Authorization

·

4 min read

Introduction

Azure AKS (Azure Kubernetes Service) is a fully managed service provided by Microsoft Azure for deploying and scaling containerized applications in the cloud using Kubernetes. This article covers the approach that allows for unified management and access control to AKS and Kubernetes resources. Traditionally access to Kubernetes resources can be provided to the users using Kubernetes RBAC policies but we are going to look at the benefits of using Azure RBAC, hoping to not complicate the Security Landscape for our future deployments.

We will not be creating any RBAC policies/roles inside the Kubernetes cluster, roles would only be created on the azure platform and mapped to namespaces inside the managed cluster. This frees us from having to create and manage separate users inside Kubernetes.

Limitations

There are a couple of caveats we should look at, even before proceeding.

  • RBAC for Kubernetes resources can be managed using Azure or through native Kubernetes RBAC policies

  • Azure AD principals will be validated exclusively by Azure RBAC while regular Kubernetes users will be exclusively validated by Kubernetes RBAC

  • It is required that we set up Managed Azure AD Integration for our Managed Cluster

  • Use kubectl v1.18.3+

  • New Role assignments take upto 5 mins to fully propagate and update

  • Azure AD and the AKS cluster should reside in the same tenant.

  • The only way to cover CRDs or Custom Role Definitions is to provide Microsoft.ContainerService/managedClusters/*/read . AKS is working to provide more granular permissions for CRDs.

Integrating Azure RBAC into an AKS cluster

We will enable azure RBAC for an existing cluster(it is not enabled by default) and then assign the default roles provided by AKS to users enabling them to execute commands using kubectl inside the cluster.

The below command enables the Azure RBAC

az aks update -g myResourceGroup -n myAKSCluster --enable-azure-rbac

Default roles for users to access the cluster

Here we will not create any roles since, 4 built-in default roles are provided by Azure

Azure Kubernetes Service RBAC Reader

  • Allows read-only access in a namespace.

  • Doesn't allow viewing roles or role bindings. This role doesn't allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace

Azure Kubernetes Service RBAC Writer

  • Allows read/write access to most objects in a namespace.

  • This role doesn't allow viewing or modifying roles or role bindings.

  • This role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.

Azure Kubernetes Service RBAC Admin

  • Allows admin access, intended to be granted within a namespace.

  • Allows reading/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace.

  • This role doesn't allow write access to the resource quota or to the namespace itself.

Azure Kubernetes Service RBAC Cluster Admin

  • Allows super-user access to perform any action on any resource.

  • It gives full control over every resource in the cluster and in all namespaces.

Role Assignments

Roles are usually created by assigning the default roles to users for a particular namespace existing within the Kubernetes cluster. It is also possible to create custom role definitions as well

  • Get your AKS Cluster Resource ID using the below command in Azure CLI

AKS_ID=$(az aks show -g MyResourceGroup -n MyManagedCluster --query id -o tsv)

  • Role assignments scoped to a specific namespace within the cluster are done using the below command

az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID/namespaces/<namespace-name>

  • If you wanted to assign the role to the entire AKS Cluster we would need to change the scope to just $AKS_ID

az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <AAD-ENTITY-ID> --scope $AKS_ID

where <AAD-ENTITY-ID> could be a username (e.g. frog@example.com) or even the ClientID of a service principal.

Checking the access provided

Looking at the previous example, if you observe we provided the access to , assuming that frog wants to check the number of nodes running in the default namespace inside MyManagedCluster, he would first have to get the cluster's kubeconfig using the below command.

az aks get-credentials -g MyResourceGroup -n MyManagedCluster

Now, frog can run commands using kubectl only for resources that he has access to.